Abstract

Entanglement purification provides a unifying framework for proving the security of quantum key distribution schemes. Nonetheless, up till now, a local commutability constraint in the CSS code construction means that the error correction and privacy amplification procedures of BB84 are not fully decoupled. Here, I provide a method to decouple the two processes completely. The method requires Alice and Bob to share some initial secret string and use it to encrypt the bit-flip error syndrome using one-time-pad encryption. As an application, I prove the unconditional security of the interactive Cascade protocol, proposed by Brassard and Salvail for error correction, modified by one-time-pad encryption of the error syndrome, and followed by the random matrix protocol for privacy amplification. This is an efficient protocol in terms of both computational power and key generation rate.
I. INTRODUCTION



An important application of quantum information processing is quantum key distribution (QKD) [1,2]. The goal of QKD is to allow two communicating parties to detect any eavesdropper. Unlike conventional key distribution schemes, QKD makes no assumptions on the eavesdropper's computing power. Rather, the security of QKD is supposed to be based on the fundamental laws of quantum mechanics.

Security proofs of QKD are an important but difficult problem in quantum information theory. Recently, entanglement purification [ref] has become a fruitful avenue for studying the security of QKD. Roughly speaking, entanglement purification is a generalized form of quantum error correction for a quantum communication channel, rather than for quantum storage, which is dealt with by standard quantum error correction. It was first suggested by Deutsch et al. that entanglement purification protocols (EPPs) can correct errors introduced by the eavesdroppers and allow the two communicating parties, Alice and Bob, to obtain perfectly entangled (i.e., quantum-mechanically correlated) quantum systems, so-called EPR pairs, from which they can generate a secure key.

A proof of security by Mayers applies to a standard QKD scheme, BB84 [1], published by Bennett and Brassard in 1984. Mayers' proof makes no explicit reference to entanglement purification, but is rather complex. A proof of security of QKD based on entanglement purification has been provided by Lo and Chau [7]. It has the advantage of being intuitive and conceptually simple, but it requires that Alice and Bob possess quantum computers for its implementation. Recently, Shor and Preskill [8] removed this requirement and applied the approach of entanglement purification to prove the security of BB84 [1]. Other proofs of security of QKD that make no explicit reference to entanglement purification include [9,10].



Recently, a security proof for a practical set-up (weak coherent states, lossy channels, inefficient detectors, etc.) has been presented by Inamori, Lütkenhaus and Mayers [11].

Recall that error correction and privacy amplification are necessary in the generation of the final secure key from the raw quantum transmission data. Error correction ensures that Alice and Bob will share a common string and, roughly speaking, privacy amplification ensures that Eve most likely knows almost nothing about the key. Unfortunately, so far the application of the entanglement purification approach to QKD implies a non-trivial constraint between the two processes, namely that the corresponding measurement operators employed by Alice and Bob must be locally commuting. Such a local commutability constraint means that the two processes are not totally decoupled from each other. Therefore, it is not entirely obvious how to study error correction and privacy amplification independently.

In this paper, I propose a novel method to remove this local commutability constraint, thus allowing us to decouple the error correction process from the privacy amplification process. This amounts to much simplification in the study of both processes. In the EPP picture, the proposed method requires Alice and Bob to share some ancillary pre-distributed pure EPR pairs. Instead of measuring the (bit-flip) error syndrome directly, each user collects the output into those ancillary EPR pairs and measures those pairs. (A specific instance of such a general method, the so-called breeding method, was used in [ref].) In the BB84 picture, the proposed method requires Alice and Bob to share initially some common secret ancillary binary string, $a$. Instead of announcing the bit-flip error syndrome, which is a binary string $x$, each user encrypts the error syndrome bit-wise using $a$ as a one-time pad and announces the encrypted version, $y = x + a \pmod 2$, bit-wise.

As an application of the proposed method, I consider a rather general class of classical error correction methods — the so-called symmetric stabilizer-based schemes (see footnote 1) — which may involve either one-way or two-way classical communications. I show that any symmetric stabilizer-based scheme can be modified and subsequently combined with any symmetric stabilizer-based privacy amplification procedure into an unconditionally secure protocol for QKD. This means that one can study the two processes — error correction and privacy amplification — independently. Such a decoupling of error correction from privacy amplification allows one to simplify the analysis of security of a general error correction scheme.

As an application, I prove the unconditional security of a modified version of the Cascade scheme [12] for error correction invented by Brassard and Salvail (followed by, for example, a random hashing procedure for privacy amplification [ref]). This is the first time such a computationally efficient scheme has been proven to be secure. Therefore, the result is of practical interest.

Finally, note that the proposed method can be employed as a sub-routine in concatenated entanglement purification procedures, including those involving two-way classical communications, as studied in [13], and those involving degenerate codes [14].



II. MOTIVATION 

A key motivation of this work is to provide a rigorous proof of security of interactive protocols for error correction in QKD. Let me explain in detail. In QKD, one often has to perform error correction at a rather high bit error rate of, say, a few percent, which is much higher than the typical value of, say, $10^{-5}$ in conventional communications. Moreover, one would like the key generation rate to remain high. As a rule of thumb, the fewer bits are exchanged between Alice and Bob, the higher the key generation rate. Furthermore, one would like to implement a QKD scheme efficiently, that is to say, with a minimal amount of computational power. In a general implementation of QKD, it is a highly complex question which trade-off between the various parameters — tolerable error rate, key generation rate, computational power — would be the best.

Forward error correction is commonly employed in conventional communications and works efficiently at low error rates. Unfortunately, QKD has a high bit error rate. If forward error correction is employed in QKD, a very large block size of order $10^5$ would probably be needed. This translates to a large amount of computing power (see footnote 2).

Two-way communications between Alice and Bob are useful in reducing the required computing power for error correction. In the literature, several interactive protocols such as "BBBSS" [15] and "Cascade" [12] have been proposed for error correction in QKD (see footnote 3). The Cascade protocol, invented by Brassard and Salvail, for instance, has the advantages of being computationally highly efficient and also being one of the best methods in minimizing the number of exchanged bits between Alice and Bob. It works very well at a bit error rate of a few percent. Therefore, Cascade is well suited for implementations. Unfortunately, up till now, a proof of unconditional security of a QKD scheme based on Cascade (and followed by, for example, the standard Shor-Preskill [8] or Mayers [ref] privacy amplification procedure) has been missing. A key contribution of this paper is to provide such a proof. The proof of security applies not only to Cascade, but to any (interactive or non-interactive) protocol for error correction in QKD that is based on parity computations.

Footnote 1: By stabilizer-based, I only mean that each operator that Alice measures is a Pauli operator. The various operators are not required to commute.

Footnote 2: I thank Tsz-Mei Ko and Norbert Lütkenhaus for enlightening discussions on this point.

Footnote 3: I thank Norbert Lütkenhaus for providing the references.

Another motivation for this work is to demonstrate the decoupling of error correction from privacy amplification. On the conceptual level, a QKD scheme consists of several steps — "advantage distillation" [16], error correction and privacy amplification. Entanglement purification has recently been proposed by Shor and Preskill [8] as a useful framework for dealing with BB84. The work of Shor and Preskill built on earlier work in [7] and has been subsequently extended in [13] to protocols involving two-way communications and in [ref] to the six-state [17] QKD scheme.

Nonetheless, an important constraint remains in those works: the measurement operators employed by Alice and Bob must commute locally. This local commutability constraint ensures that those observables are simultaneous observables. Therefore, the measurement of one observable does not introduce any "back-reaction" to the measurement of any other observables. Such a local commutability constraint means that in analyzing QKD, one has to study both error correction and privacy amplification together and ensure that the observables that Alice and Bob measure do commute locally. Therefore, this constraint complicates the analysis.

Analysis of QKD protocols would be greatly simplified if one could divide up the procedure into different components and analyze each component independently. A main contribution of this paper is to show that such a decoupling is, in fact, possible for error correction and privacy amplification. The upshot is that one can study error correction and pick the best that one can find. Then, one studies privacy amplification and picks the best that one can find. Finally, one puts the two together and the composite will remain good. This result is reminiscent of the decoupling of source coding from error correction in classical coding theory (see footnote 4).



III. BB84 

The best-known QKD scheme is BB84, in which the sender, Alice, prepares and sends to the receiver, Bob, a sequence of single photons randomly in one of the four polarizations, horizontal, vertical, 45-degrees and 135-degrees. Bob then performs a measurement randomly in one of the two polarization bases — rectilinear and diagonal. BB84 is an example of the standard "prepare-and-measure" protocols, which can be executed without quantum computers. Proving the security of BB84 against the most general attack by the eavesdropper, Eve, turned out to be a hard problem.

Footnote 4: Actually, the decoupling result in classical coding theory is stronger than what I have stated here. It shows that the combined protocol is optimal, even in the case of a finite block size. In contrast, no claim of optimality for the decoupling result for QKD is made in the present paper. The issue of optimality is beyond the scope of the current paper.

A. Entanglement purification based QKD

Entanglement purification [ref] has become a useful proof technique. Consider the following entanglement purification based QKD scheme. Alice prepares a sequence of, say, $2N$ EPR pairs and sends half of each pair to Bob. Owing to channel noise and eavesdropping attacks, those pairs will be corrupted. Alice and Bob randomly sample, say, $N$ of their pairs to estimate the error rates in the two bases. If the error rates are too high, they abort. Otherwise, they now apply a so-called entanglement purification protocol (EPP) $C$, which distills from the $N$ remaining impure pairs a smaller number, say $m$, of almost perfectly entangled EPR pairs. They then measure those pairs to generate a secure key.

First of all, suppose Alice and Bob share $m$ nearly perfect EPR pairs and generate a key by measuring them. The following theorem shows that Eve cannot have much information on the key.

Theorem 1 ([7]) If a density matrix $\rho$ has high fidelity $F$ to a state of $m$ perfect EPR pairs, and Alice and Bob produce their key by measuring individual qubits of $\rho$, then with high probability, Alice and Bob have identical $m$-bit strings $k$ with a uniform distribution, and Eve has essentially no information about $k$. In fact, if $F \to 1$ exponentially with $m$, then Eve's information approaches zero exponentially with $m$ as well (see footnote 5).

Definition: Bell basis. Given a pair of qubits, a convenient basis to use is the Bell basis, which has the Bell states as its basis vectors. The Bell states are of the form:

$$\Phi^{\pm} = \frac{1}{\sqrt{2}}\left(|\!\uparrow\uparrow\rangle \pm |\!\downarrow\downarrow\rangle\right) \qquad (1)$$

and

$$\Psi^{\pm} = \frac{1}{\sqrt{2}}\left(|\!\uparrow\downarrow\rangle \pm |\!\downarrow\uparrow\rangle\right). \qquad (2)$$

It is convenient to label them by two bits such that:

$$\Phi^{+} = 00, \quad \Psi^{+} = 01, \quad \Phi^{-} = 10, \quad \Psi^{-} = 11.$$



Footnote 5: As discussed in [18], if we demand that Eve's information is bounded by some small number independent of $k$, then the number of test particles only scales logarithmically with $k$.
Definition: $N$-Bell basis and BDSW notation. Suppose Alice and Bob share $N$ pairs of qubits. A convenient basis to use is the $N$-Bell basis. That is to say, each basis vector is the tensor product of $N$ Bell basis vectors. Following the two-bit labelling above, it is convenient to label an $N$-Bell basis vector by $2N$ bits. This is the notation employed by Bennett, DiVincenzo, Smolin and Wootters (BDSW) [ref].

Definition: Pauli operator. A Pauli operator, $V$, is defined as a tensor product of single-qubit operators of the form $I$ (the identity), $X$, $Y$ and $Z$.

Definition: Stabilizer. An Abelian group whose generators are Pauli operators is called a stabilizer group.

Definition: Correlated Pauli strategies. An eavesdropper, Eve, is said to be employing a correlated Pauli strategy if she applies a Pauli operator, $V_i$, to the quantum signals with some probability $p_i$.

Definition: Symmetric stabilizer-based EPP. An EPP is called symmetric stabilizer-based if it involves Alice and Bob measuring operators that are the generators of some stabilizer group.

While Eve may use any eavesdropping strategy, the following theorem states essentially 
that, to consider security, one only needs to consider correlated Pauli strategies. 

Theorem 2 (Adapted from [7]) Suppose Alice creates $M$ EPR pairs and sends half of each to Bob. Alice and Bob then test the error rates, $p_X$ and $p_Z$, along the $X$ and $Z$ bases for randomly chosen disjoint subsets, $s_1$ and $s_2$, each containing $m$ of the $M$ pairs. If the error rate is too high, they abort. Otherwise, they perform an EPP $C$ on the remaining $N = M - 2m$ pairs to try to distill out $k$ EPR pairs of high fidelity. Suppose the EPP $C$ can correct up to $N(p_X + \epsilon)$ phase errors and up to $N(p_Z + \epsilon)$ bit-flip errors. Define a Hilbert subspace $\mathcal{H}_{good}$ of the $N$ EPR pairs to be the subspace spanned by $N$-Bell states with good error patterns (i.e., with up to $N(p_X + \epsilon)$ phase errors and up to $N(p_Z + \epsilon)$ bit-flip errors). Let us denote the projection operator onto $\mathcal{H}_{good}$ by $\Pi$. Then, we have the following:

Given any eavesdropping strategy, $S_1$, by Eve, there exists a correlated Pauli strategy, $S_2$, by Eve that will yield exactly the same values for the following two important quantities:

(i) $P(\text{verification test is passed by the test sample} \mid s_1, s_2)$

and

(ii) $\mathrm{tr}(\Pi\rho)$,

for all choices of $s_1$ and $s_2$.

Sketch of Proof. The "commuting observables" idea in [7] is employed. An eavesdropping strategy is defined by the choice of an ancilla and the unitary transformation on the combined system of the ancilla and the $N$ EPR pairs. Given any eavesdropping strategy $S_1$ by Eve, let us consider a fixed but arbitrary choice of sampling subsets, $s_1$ and $s_2$. Let $S_{s_1,s_2}$ be the observable that determines whether the verification test is passed. Recall that $\Pi$ is defined as the projection operator onto the good (i.e., correctable) Hilbert space. Consider also $W$, the observable that gives the $2M$-bit string representing the state $w$ in the BDSW notation. Since all the observables, the $S_{s_1,s_2}$'s, the $\Pi$'s and $W$, are simultaneously diagonalizable in the $M$-Bell basis, they all commute with each other. Therefore, it is mathematically consistent to assign probabilities to the simultaneous eigenvalues of those observables, thus giving rise to the two quantities $P(\text{verification test is passed by the test sample} \mid s_1, s_2)$ and $\mathrm{tr}(\Pi\rho)$ for all possible choices of $s_1$ and $s_2$.

Now, imagine applying a hypothetical measurement $W$ to Alice and Bob's state before the measurements of the $S_{s_1,s_2}$'s and $\Pi$'s. Given that $W$ commutes with the $S_{s_1,s_2}$'s and $\Pi$'s, a prior measurement of $W$ in no way affects the outcomes of the measurements of the $S_{s_1,s_2}$'s and $\Pi$'s. In other words, if Eve pre-measures the state in the $N$-Bell basis (i.e., measures $W$), neither the probability of passing the verification test, nor the probability of being in the good Hilbert space will be affected by such a prior measurement. However, with such a prior measurement, Eve has reduced her eavesdropping strategy $S_1$ to a correlated Pauli strategy, $S_2$.

Remark: This commuting observables idea applies to all symmetric stabilizer-based EPPs, including ones that involve two-way classical communications.

Theorem 2 tells us that one can treat the two important quantities — i) the probability of passing a verification test and ii) the probability of being in a good Hilbert space, $\mathrm{tr}(\Pi\rho)$ — as classical. In essence, one can apply classical sampling theory to a quantum problem. Furthermore, $\mathrm{tr}(\Pi\rho)$ provides a bound on the fidelity of the corrected EPR pairs:

Theorem 3 ([8,19]) Consider a stabilizer-based EPP $C$ which distills $m$ EPR pairs from $n$ impure pairs. Suppose $C$ works perfectly in a Hilbert subspace $\mathcal{H}_{good}$, which is spanned by Bell states with good error patterns (i.e., correctable by $C$). Denote the projection operator onto $\mathcal{H}_{good}$ by $\Pi$. If we apply the EPP $C$ to an initial state $\rho$, then the fidelity of the recovered state to $m$ EPR pairs is bounded below by

$$F = \langle \Phi^{(m)} | \rho_{rec.} | \Phi^{(m)} \rangle \geq \mathrm{tr}(\Pi\rho). \qquad (3)$$

Here, $\rho_{rec.}$ is the recovered state after error correction and $\Phi^{(m)}$ is the $m$-EPR-pair state.

Proof. This Theorem follows from standard stabilizer quantum error correcting code (QECC) theory. An explicit proof of essentially the same result can be found in [19]. Q.E.D.



B. Reduction to BB84 via CSS codes



Because of Theorem 3, EPP based QKD schemes are particularly convenient to analyze. Unfortunately, they are difficult to implement because they generally require Alice and Bob to possess quantum computers. A key insight of Shor and Preskill is to remove the requirement of quantum computers by showing that, in fact, the security of a special class of EPP based QKD schemes implies the security of BB84. More concretely, they considered a special class of quantum error-correcting codes, called Calderbank-Shor-Steane (CSS) codes [20,21] (see below for properties of CSS codes), and proved the following theorem:

Theorem 4 ([8]) Given an EPP-based QKD scheme that is based on a CSS code and a verification procedure that involves only two bases, its security implies the security of a BB84 scheme.
Remark: Similarly, when the verification procedure involves three bases, an analogous theorem shows that the security of an EPP-based QKD scheme that is based on a CSS code implies the security of the six-state scheme.

We shall refer the readers to [8,19] for details of the proof of Theorem 4. A CSS code is a stabilizer-based quantum code with generators that are either i) tensor products of identities and $Z$'s only or ii) tensor products of identities and $X$'s only. It has the advantage that the phase and bit-flip error correction procedures are totally decoupled from each other (see footnote 6).

More concretely, a CSS code is defined as follows. Consider a binary linear classical code $C_1$ and its subcode $C_2$. A codeword of a CSS code is an equal superposition of the codewords of $C_1$ that lie in the same coset of $C_2$:

$$|\phi_u\rangle = \sum_{v \in C_2} |u + v\rangle. \qquad (4)$$

Note that, if $u_1 - u_2 \in C_2$, then $|\phi_{u_1}\rangle = |\phi_{u_2}\rangle$. Therefore, the codewords of a CSS code are in one-to-one correspondence with the cosets of $C_2$ in $C_1$. Suppose both $C_1$ and the dual of $C_2$, $C_2^{\perp}$, can correct up to $t$ errors. Then, the CSS code based on $C_1$ and $C_2$ can correct up to $t$ bit-flip errors and $t$ phase errors.

On reduction from an EPP to BB84, the EPP leaves its mark as an error correction/privacy amplification protocol in the following manner. Alice sends a random quantum state $|w\rangle$ to Bob. Owing to noise in the channel and eavesdropping actions, Bob receives it as a corrupted string $w + e$. Afterwards, Alice picks a random codeword $u \in C_1$ and broadcasts $w + u$. Bob subtracts this from his string to obtain $u + e$. He then corrects the error to obtain $u$. Finally, he generates the key as the coset $u + C_2$. Notice that the cosets of a code, say $C_2$, are in one-to-one correspondence with the error syndromes. Indeed, the value of the key is given by the error syndrome of the subcode $C_2$ for a codeword in $C_1$.
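The coset-key step just described, as an added example that is not code from the paper: it runs the classical bookkeeping of the CSS reduction on the Steane construction, taking $C_1$ to be the [7,4] Hamming code and $C_2$ its dual, the [7,3] simplex code (so $C_2 \subset C_1$, and both $C_1$ and $C_2^{\perp} = C_1$ correct one error). The code matrices, the strings $w$, $e$, $u$ and the function names are constructed for this illustration.

```python
"""CSS-code key extraction as in the paper's reduction from an EPP to BB84,
worked on the Steane construction: C1 = [7,4] Hamming code, C2 = its dual,
the [7,3] simplex code, with C2 ⊂ C1.  Added example, not code from the
paper; all bit strings below are constructed."""
from itertools import product

# Parity-check matrix of C1: column j (0-based) is the binary expansion of j+1,
# so the syndrome of a single error at index j reads as the number j+1.
H1 = [[1, 0, 1, 0, 1, 0, 1],
      [0, 1, 1, 0, 0, 1, 1],
      [0, 0, 0, 1, 1, 1, 1]]

# Generator matrix of C1.  C2 is the row space of H1 (the dual of C1), so G1
# also serves as a parity-check matrix of C2: G1*v = 0 exactly when v is in C2.
G1 = [[1, 1, 1, 0, 0, 0, 0],
      [1, 0, 0, 1, 1, 0, 0],
      [0, 1, 0, 1, 0, 1, 0],
      [1, 1, 0, 1, 0, 0, 1]]


def xor(a, b):
    """Bitwise sum of two equal-length bit lists over GF(2)."""
    return [x ^ y for x, y in zip(a, b)]


def syndrome(H, x):
    """H*x over GF(2), one parity bit per row of H."""
    return [sum(h * xi for h, xi in zip(row, x)) & 1 for row in H]


def encode_c1(msg4):
    """Codeword of C1 for a 4-bit message: msg4 * G1 over GF(2)."""
    word = [0] * 7
    for m, row in zip(msg4, G1):
        if m:
            word = xor(word, row)
    return word


def hamming_correct(y):
    """Correct up to one bit-flip in y using the parity checks of C1."""
    s = syndrome(H1, y)
    pos = s[0] + 2 * s[1] + 4 * s[2]   # 0 means no error, else 1-based index
    y = list(y)
    if pos:
        y[pos - 1] ^= 1
    return y


def coset_key(u):
    """Key = the coset u + C2 of a C1 codeword u, labelled by its C2 syndrome.
    Since C2 ⊂ C1, G1*u takes only 2^(dim C1 - dim C2) = 2 values on C1, so the
    label carries one key bit."""
    return tuple(syndrome(G1, u))


def css_key_exchange(w, e, u):
    """Classical shadow of the CSS-based EPP described in the paper.
    Alice sends w; Bob receives w+e; Alice announces w+u for a codeword u of C1;
    Bob forms (w+e)+(w+u) = u+e, corrects it to u, and both take the coset
    u + C2 as key.  Returns (Alice's key, Bob's key, the announced string)."""
    received = xor(w, e)
    announced = xor(w, u)      # public; w is uniform, so this reveals nothing about u
    bob_u = hamming_correct(xor(received, announced))
    return coset_key(u), coset_key(bob_u), announced


def key_labels_on_c1():
    """All coset labels over the 16 codewords of C1: exactly two values."""
    return {coset_key(encode_c1(m)) for m in product([0, 1], repeat=4)}


# Constructed sample run (not from the paper).
W = [1, 0, 0, 1, 1, 0, 1]          # Alice's random string w
E = [0, 0, 0, 0, 0, 1, 0]          # one bit-flip introduced in transit
U = encode_c1([1, 1, 1, 0])        # Alice's random codeword u of C1


def demo():
    """Alice's key, Bob's key and the public announcement for the sample run."""
    return css_key_exchange(W, E, U)
```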

Using CSS codes and Theorem 4, BB84 is proven to be secure up to an error rate of 11 percent. By using two-way classical communications, BB84 can be made secure at a much higher error rate of about 17 percent (see footnote 7). This is due to the following theorem by Gottesman and myself [13], which generalizes Theorem 4.



Footnote 6: Applying an operator $X$ to a state will introduce a bit-flip error to the state. Similarly, applying an operator $Z$ to a state will introduce a phase error. Finally, applying an operator $Y$ will lead to both a bit-flip and a phase error.

The intuitive reason why an EPP-based QKD can be reduced to BB84 is that Alice and Bob do not need to compute or announce their phase error syndromes. This is because the phase errors do not affect the value of the final key. Roughly speaking, randomizing the state over all possible phase error syndromes, one recovers BB84. In other words, provided that, from Eve's point of view, Alice and Bob could have performed the QKD scheme by quantum computers, the resulting BB84 scheme is secure. Alice and Bob do not really have to use quantum computers.

Footnote 7: Note that it has been shown that BB84 with only one-way classical communications is necessarily insecure at an error rate of about 15% [22,23]. Therefore, this result shows clearly that BB84 with two-way classical communications is definitely better than BB84 with only one-way classical communications.
Theorem 5 ([13]) Suppose a two-way EPP satisfies the following conditions:

1. (Symmetric) It can be described as a series of measurements $M_i$, with both Alice and Bob measuring the same $M_i$.

2. (CSS-like) Each of its generators $M_i$ can be written as either a) a product of $X$'s only or b) a product of $Z$'s only.

3. (Locally-commuting) Each pair $M_i$ and $M_j$ commute locally on Alice's (or Bob's) side.

4. (Conditional on $Z$'s only) All conditional operations depend on the result of measuring $Z$ operators only.

Let us call such a protocol a reducible protocol. Claim: a reducible protocol can be converted to a standard "prepare-and-measure" QKD scheme with security equal to the EPP-based QKD scheme.



Remark: Here, the notation has been slightly abused. By a product of $Z$'s only, I actually mean a product of identities and $Z$'s only. Similarly for $X$'s.

Remark: If the verification stage involves two bases, then the "prepare-and-measure" QKD scheme is BB84. If it involves three bases, then the "prepare-and-measure" QKD scheme is the six-state scheme.

We will refer the readers to [13] for the details of the proof of Theorem 5.



IV. CONSTRAINT ON LOCAL COMMUTABILITY 



Theorem 5 is a strong result in QKD. Nonetheless, constraint 3 in Theorem 5 seriously restricts its applicability. In the EPP picture, the constraint demands that all the local measurement operators that Alice and Bob employ must commute locally with each other. Therefore, one is not at liberty to choose the bit-flip and phase error correction measurement operators independently.

I remark that the local commutability constraint is a big obstacle in the application of Theorem 5 to prove the security of the interactive Cascade scheme [12] for error correction proposed by Brassard and Salvail. Recall that the Cascade protocol involves a binary search subroutine, "BINARY", by Alice and Bob, which allows them to identify the location of an error. The binary search subroutine, BINARY, involves the computation of the parity of a set and subsequently dividing it into two sets and computing the parity of each subset, etc., until the location of the error is found. Note that at the end of BINARY, the size of a subset is reduced to a single object, which means Alice (and also Bob) has to announce the eigenvalue $Z_i$ of a single qubit at location $i$ (i.e., the $i$-th qubit). Now, any quantum error correcting procedure that corrects the phase error of the announced bit must contain a measurement operator $M$ with a component $X_i$ on that same $i$-th qubit. This means that $M$ anti-commutes, rather than commutes, with $Z_i$. In conclusion, with the Cascade protocol, it would be impossible to correct all the phase errors. Therefore, the application of Theorem 5 to the Cascade protocol looks problematic.
A. Using ancillary EPR pairs



To resolve this problem of local non-commutability, notice that a) all symmetric measurement operators, $M_j = M_j^A \otimes M_j^B$, do commute globally and b) in many cases, only the relative error syndrome between Alice and Bob is of interest. For instance, in BINARY, Alice and Bob are interested only in whether their corresponding parities agree or disagree, but not in the actual values of the individual parities. A simple method to bring two distant quantum systems together and allow a global operator to be measured is teleportation. To achieve teleportation, some ancillary EPR pairs must be shared by Alice and Bob. This motivates the basic insight of the current paper — to use ancillary EPR pairs to compute the relative error syndrome.

Instead of teleportation, a more efficient way of measuring the global error syndrome will 
be employed. Here is a main theorem of the current paper. 

Theorem 6 Suppose Alice and Bob share a number of impure EPR pairs and they would like to compute $r$ symmetric global operators each of the form $M_i = M_i^A \otimes M_i^B$ (as before, by symmetric it is meant that $M_i^B$ is the same as $M_i^A$ except that they act on Bob's and Alice's Hilbert spaces respectively), where $M_i^A$ is a Pauli operator. Suppose further that they would like to know only the eigenvalues of the $M_i$'s, but otherwise leave the state unchanged. The claim is that they can do so with $r$ ancillary EPR pairs.

Sketch of Proof. The notation is such that an EPR pair is an eigenstate of $ZZ$ and $XX$, with eigenvalue $+1$ for both. Let us call the two qubits of the $j$-th ancillary EPR pair shared by Alice and Bob $A'_j$ and $B'_j$ respectively. For each operator $M_j$, Alice measures $M_j^A \otimes Z_{A'_j}$ and broadcasts her outcome, and Bob measures $M_j^B \otimes Z_{B'_j}$ and broadcasts his outcome. The relative outcome, the product of $M_j^A \otimes Z_{A'_j}$ and $M_j^B \otimes Z_{B'_j}$, gives the eigenvalue of the operator $M_j$ (because the state of the ancillary EPR pair gives an eigenvalue $+1$ for the operator $Z_{A'_j} \otimes Z_{B'_j}$). More importantly, by an explicit calculation analogous to the argument in teleportation, one can show that no disturbance to the state is made except for the determination of the eigenvalue of $M_j = M_j^A \otimes M_j^B$. Q.E.D.

The above theorem employs a generalization of the so-called breeding method for EPP, studied in [ref] (see also [ref]). In [ref], the breeding method was only mentioned in passing because it had been superseded by the standard hashing method, which can be performed without ancillary EPR pairs. Let me call a general EPP that involves ancillary EPR pairs a generalized breeding protocol/method. In contrast to prior art, here I notice that the generalized breeding protocol is, in general, not reducible to a non-breeding protocol. In fact, it is more powerful because it allows the decoupling of error correction from privacy amplification. In summary, the decoupling of error correction from privacy amplification is achieved at the price of introducing ancillary EPR pairs shared by Alice and Bob.

I remark that the measurement of $M_j^A \otimes Z_{A'_j}$ (and similarly $M_j^B \otimes Z_{B'_j}$) in Theorem 6 can, indeed, be done by local quantum gates. The actual quantum circuit diagram is very similar to the ones discussed in, for example, [ref]. Since the actual construction is outside the main theme of this paper, the details will be skipped here.
B. Reduction to BB84



Using ancillary EPR pairs in a generalized breeding protocol, the above subsection shows that one can decouple error correction from privacy amplification in a QKD scheme. However, such a scheme generally requires a quantum computer to implement. So, the next question is: how to reduce the above protocol to standard BB84? Here is the second main theorem of the current paper.

Theorem 7 Suppose a two-way EPP satisfies the following conditions:

1. (Symmetric) It can be described as a series of measurements $M_i$, with both Alice and Bob measuring the same $M_i$.

2. (CSS-like) Each of its generators $M_i$ can be written as either a) a product of $X$'s only or b) a product of $Z$'s only. Let me call them $M_X$ and $M_Z$ operators respectively.

3. ($r$-locally-non-commuting) There exists a set of $r$ $M_Z$ operators, which hereafter I shall call the non-commuting set, such that, after deleting them from the set of measurements, each pair of operators $M_j$ and $M_k$ chosen from the remaining set of measurements commute locally on Alice's (or Bob's) side.

4. (Conditional on $Z$'s only) All conditional operations depend only on the result of measuring $Z$ operators.

Then the protocol can be converted to a standard "prepare-and-measure" QKD scheme with security equal to the EPP-based QKD scheme, provided that Alice and Bob initially share an $r$-bit secret string and use it to encode the measurement outcomes of the $M_Z$'s of the non-commuting set in Condition 3 (see footnote 8).

Sketch of Proof. Combine the proofs of Theorems 5 and 6. In other words, the proof of Theorem 6 can be used to relax the constraint of local commutability in Theorem 5, thus giving Theorem 7.

We have the following Corollary: 

Corollary 8 Consider the purification of $N$ impure EPR pairs. Suppose one is given a symmetric stabilizer-based bit-flip (interactive or one-way) error correction procedure with $s$ operators $M_Z$'s and also a symmetric stabilizer-based phase error correction procedure with $t$ operators $M_X$'s acting on the $N$ pairs. Claim: The combined error correction/privacy amplification protocol can be reduced to a standard prepare-and-measure QKD protocol, provided that Alice and Bob initially share an $s$-bit secret string. Having sacrificed the initial $s$-bit string, the output of the procedure is an $(N - t)$-bit secret string (see footnote 9).

Footnote 8: Note that the same key is used to encode the measurement outcomes on both Alice's and Bob's sides. This is because the relative error syndrome is allowed to be disclosed to Eve.

Footnote 9: Note that the final key is now a coset of $C_2$ in $F_2^N$, whereas in Shor-Preskill's proof, the key is a coset of $C_2$ in $C_1$. The difference is due to the fact that, in Theorem 7, an ancillary secret is sacrificed. The net key generation rate is the same if Theorem 7 is applied in lieu of Shor-Preskill's proof.

Remark: As an application of the above Corollary, the following protocol for error correction/privacy amplification of QKD is unconditionally secure: Step 1: the Cascade scheme for error correction, modified by the one-time-pad encryption of its bit-flip error syndrome, followed by Step 2: a random hashing procedure [ref]. Notice that this is a rather efficient protocol in terms of both the key generation rate and computational power.
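The modified Cascade step of the above remark, together with the BINARY subroutine recalled in Section IV, as an added example (not code from the paper): one Cascade pass in which every announced parity is masked with a fresh bit of the pre-shared secret, the same bit on both sides, so that the public transcript carries only the relative syndrome. The block size, the bit strings, the pad and the names `SecretPad` and `correct_pass` are constructed for this illustration.

```python
"""One pass of Cascade-style interactive error correction (block parities
plus the BINARY bisection) with every announced parity one-time-pad
encrypted by a pre-shared secret, as the paper's modified Cascade requires.
Added example, not code from the paper; block size, strings and pad are
constructed."""


def parity(bits, lo, hi):
    """Parity of bits[lo:hi]: the Z-type measurement outcome on that block."""
    return sum(bits[lo:hi]) & 1


class SecretPad:
    """The pre-shared secret string a; one bit is consumed per announced parity."""

    def __init__(self, bits):
        self.bits = list(bits)
        self.used = 0

    def next_bit(self):
        if self.used >= len(self.bits):
            raise RuntimeError("pre-shared secret exhausted: abort the pass")
        bit = self.bits[self.used]
        self.used += 1
        return bit


def announce(alice, bob, lo, hi, pad, transcript):
    """Both parties publish y = x + a (mod 2) for their parity x of [lo, hi),
    using the SAME pad bit a (footnote 8: only the relative syndrome may be
    public).  Returns x_A XOR x_B, which Bob computes from the two announcements."""
    a = pad.next_bit()
    y_alice = parity(alice, lo, hi) ^ a
    y_bob = parity(bob, lo, hi) ^ a
    transcript.append((y_alice, y_bob))
    return y_alice ^ y_bob


def binary(alice, bob, lo, hi, pad, transcript):
    """BINARY: halve [lo, hi) until the single odd-parity error is isolated,
    then flip it in Bob's string.  Returns the corrected index."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if announce(alice, bob, lo, mid, pad, transcript):
            hi = mid        # left halves disagree: the error is on the left
        else:
            lo = mid        # left halves agree: the error is on the right
    bob[lo] ^= 1
    return lo


def correct_pass(alice, bob, block, pad):
    """One Cascade pass: compare block parities and run BINARY on each block
    that disagrees.  Returns (Bob's corrected string, corrected indices, transcript)."""
    bob = list(bob)
    transcript, fixed = [], []
    for lo in range(0, len(bob), block):
        hi = min(lo + block, len(bob))
        if announce(alice, bob, lo, hi, pad, transcript):
            fixed.append(binary(alice, bob, lo, hi, pad, transcript))
    return bob, fixed, transcript


def relative_syndrome(transcript):
    """What the public transcript discloses: only x_A XOR x_B per announcement."""
    return [ya ^ yb for ya, yb in transcript]


# Constructed sample input (not from the paper): 16 sifted bits with one
# error per 8-bit block, and a 16-bit pre-shared secret.
ALICE = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1]
BOB = [1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1]    # flips at 3 and 13
PAD = [1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0]


def demo():
    """Run one pass and report how many secret bits it cost (the r of Theorem 7)."""
    pad = SecretPad(PAD)
    corrected, fixed, transcript = correct_pass(ALICE, BOB, 8, pad)
    return corrected, fixed, transcript, pad.used
```

Each announcement consumes one secret bit, so the pass costs exactly as many bits as there are parity measurements, which is the count that Corollary 8 charges against the final key.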

For schemes involving concatenation, there is the following Corollary: 

Corollary 9 Suppose an EPP $C$ is a concatenation of two subroutines, $S_1$ and $S_2$, where the first subroutine, $S_1$, satisfies all the conditions in Theorem 5 (i.e., symmetric, CSS-like, locally-commuting and conditional on $Z$'s only) and the second subroutine, $S_2$, satisfies Theorem 7 as an $r$-locally-non-commuting (symmetric, CSS-like, conditional on $Z$'s only) EPP. Then, the protocol $C$ can be converted to a prepare-and-measure QKD protocol with the same security, provided that Alice and Bob initially share an $r$-bit secret string (see footnote 9) and use it for one-time-pad encryption of the $r$ pairs of measurement outcomes in the non-commuting set (see footnote 8).

The upshot of the above Corollary is that the decoupling result remains valid even when there are two-way classical communications [13] and even when concatenated codes are employed.



V. CONCLUDING REMARKS 

In summary, I have considered a rather general class of entanglement purification schemes, more specifically, symmetric stabilizer-based schemes, and their reduction to BB84. It was shown that in those schemes, the procedure for error correction can be decoupled from the procedure for privacy amplification. The decoupling is achieved by requiring Alice and Bob to share a modest initial string and use it for the one-time-pad encryption of the bit-flip error syndrome. There is no change in the net key generation rate because the loss of this initial string will be exactly compensated by the generation of a longer key. (See footnotes 8 and 9.) As a corollary, I prove the security of the Cascade scheme, modified by one-time-pad encryption of the error syndrome, followed by a random hashing privacy amplification procedure. This is an efficient scheme in terms of both key generation rate and computational power.


